Abstract

We investigate two-party cryptographic protocols that are secure under assumptions motivated by physics, namely special relativity and quantum mechanics. In particular, we discuss the security of bit commitment in so-called split models, i.e. models in which at least one of the parties is not allowed to communicate during certain phases of the protocol. We find the minimal splits that are necessary to evade the Mayers-Lo-Chau no-go argument and present protocols that achieve security in these split models. Furthermore, we introduce the notion of local versus global command, a subtle issue that arises when the split committer is required to delegate non-communicating agents to open the commitment. We argue that classical protocols are insecure under global command in the split model we consider. On the other hand, we provide a rigorous security proof in the global command model for Kent's quantum protocol [ ]. The proof employs two fundamental principles of modern physics, the no-signalling property of relativity and the uncertainty principle of quantum mechanics.

I. Introduction

The goal of two-party cryptography is to enable two parties, Alice and Bob, to solve a task in cooperation even if they do not trust each other. An example of such a task is the cryptographic primitive known as bit commitment. A bit commitment protocol traditionally consists of two phases: In the commit phase, Bob commits a bit to Alice¹, who receives some form of confirmation that a commitment has been made. In the open phase, Bob reveals the bit to Alice. Security means that Bob should not be able to reveal anything but the committed bit, but nevertheless Alice cannot gain any information about the bit before the open phase. While many two-party cryptographic primitives have been defined, oblivious transfer and bit commitment are undoubtedly among the most important ones because they form essential building blocks for more complex problems [2]. Ideally, we would like to have protocols for such primitives that guarantee security without relying on any subjective (e.g. that a safe is difficult to open) or computational (e.g. that factoring a product of two large primes is difficult) assumptions. Unfortunately, however, it turned out that this is impossible, even if we allow quantum communication between Alice and Bob [3], [4], [5], [6]. Much work has thus been invested into determining what kind of assumptions allow us to obtain security. Of particular interest to this work are thereby assumptions of a physical nature, leading to information-theoretic security.

Classical examples of such assumptions are, for example, access to some very special forms of shared randomness supplied in advance [ ], access to a noisy communication channel² [8], [9] or a limited amount of memory [10]. Similarly, it has been shown that security is possible if the attacker's quantum memory is bounded [11], [12], [13] or more generally noisy [14], [15], [16].

Another assumption is that of non-communication. More precisely, one imagines that each party is split up into multiple agents who cannot communicate with each other for at least some parts of the protocol. Intuitively, the use of non-communicating agents can evade the standard no-go argument because while all agents in total have enough information to cheat, no single agent can cheat on his own.

On one hand, such non-communicating models have received considerable attention in classical cryptography, where such agents are often referred to as servers [ ] or provers [18]. For example, Ben-Or et al. [ ] considered a simple protocol for bit commitment that is secure against classical attacks³ as long as the committer (Bob) is split up into two agents, Bob and Brian, who are not allowed to communicate throughout the protocol. This protocol can also be modified to give security against quantum adversaries [ ]. Similarly, many classical protocols for other tasks have been proposed under the assumption of non-communication, such as distributed oblivious transfer [20], i.e. symmetric private information retrieval [21], [22], [17], or simple private information retrieval [ ]. In all such protocols it was assumed that the agents of one party can never communicate during any point in the protocol, or thereafter.

J. Kaniewski, M. Tomamichel, E. Hanggi and S. Wehner are with the Centre for Quantum Technologies, National University of Singapore, 3 Science Drive 
2, Singapore 117543, email: j.kaniewski@nus.edu.sg. 
Manuscript received xxx; revised yyy. 

¹ Usually it is Alice who commits a bit to Bob. We decided to swap Alice and Bob as it allows us to simplify the notation in the proof of our main result. Throughout the paper it is Bob who commits a bit to Alice.

² To be more specific, what is needed is a channel with a guaranteed level of noise. It is important that the noise is truly random and cannot be influenced by either party.

³ Throughout this paper we will use the word classical to mean not quantum.

On the other hand, physicists have considered so-called relativistic assumptions for cryptography [24], [25], [26], [27], [1]. In essence, this takes the form of non-communicating models where the fact that a party's agents cannot communicate is justified by their physical separation and the finite speed of light. The key difference to classical non-communicating models is that in relativistic models the separation is generally only imposed during certain periods of the protocol, whereas classical models generally assume a separation, i.e. non-communication, for all times. For example, relativistic protocols may only demand a split into several non-communicating agents after the commit phase of a bit commitment protocol is over [27], [1]. Another assumption based on relativity is the notion of guaranteed message delivery times (see Appendix C) or the assumption of an accelerated observer⁴ [28].

Here, we will consider the security of bit commitment protocols under the assumption that one (or both) parties Alice and 
Bob, are forced to be split into non-communicating agents. Motivated by the relativistic protocols of [27], [1], we thereby 
do not demand that the parties are split into non-communicating agents for all time, but merely during certain phases of the 
protocol. A bit commitment protocol can be naturally divided into: the commit phase, the wait phase, the open phase, and the 
verification phase (see Section II-E). We thereby introduce the explicit notion of the wait and verification phases, which are 
usually only implicitly defined, in order to precisely divide the overall interaction between Alice and Bob into time frames. 
Our first contribution is 

• A classification of non-communicating models into subclasses which are characterised by the phases in which Alice or Bob is split into non-communicating agents. We find that we can reduce our considerations to two minimal models, namely the one in which Alice is split during the commit and wait phases (α-split) and the one in which Bob is split during the wait and open phases (β-split). Either of these two models allows us to evade the no-go theorem because the operations required for cheating are forbidden by the split.





Fig. 1: (a) Local command. (b) Global command. If Bob is required to perform two separate openings it becomes important whether the command which bit he is supposed to unveil is transmitted to just one or both agents.



It turns out that in certain split models a new, subtle issue needs to be addressed. If a cheating Bob is split into two agents, Bob 
and Brian, during the open phase of the commitment, who decides which bit should be opened? In standard bit commitment 
protocols this question does not arise, as there is only one cheating party. Bob will simply announce to Alice that he wishes 
to unveil a particular bit, and try to provide a matching proof. However, in a model of several distinct agents, Bob and Brian 
could conceivably base the decision about which bit to unveil on some external input. For example, depending on the latest 
stock market news they both decide to open a 0 or a 1, even though they themselves cannot communicate. Intuitively, we would
like a bit commitment scheme to be secure in the latter setting, analogous to the case of a single party which can of course 
also base its decision on external events. To capture this subtlety, we introduce an external verifier, Victor, who dictates which 
bit should be unveiled. We thereby speak of local command if Victor only issues a command to one of the two agents, Bob. 
We speak of global command if Victor issues a matching command to both Bob and Brian. Note that Victor should be thought 
of as an external verifier invoked solely to quantify Bob's cheating power and that he plays absolutely no role when both Alice 
and Bob are honest. The local and global command models will be defined in purely mathematical terms and the only reason 
to introduce Victor is to give these mathematical definitions some intuitive meaning. Note that a related concept has recently 
been introduced independently in [ ] under the name of the oracle input model. In a model without separated agents, the 
local and global command models are equivalent but we will see that they differ in a relativistic setting. More precisely, our 
second contribution is to 

• Introduce the distinction between local and global command in the models based on the β-split. We show that there is a simple classical protocol that is secure under the local command. However, we proceed to show that there exists no classical protocol that is secure under global command in the class of β-split models.

The latter naturally leads to the question of whether there is a quantum protocol that is secure even when Victor issues a global command. A quantum protocol that is likely to be secure under global command was given in [27]. Another quantum β-split protocol was proposed by Kent [ ], which has the very appealing feature that it can be implemented by the honest parties

⁴ The authors consider two inertial participants sharing a noiseless quantum channel in the presence of a uniformly accelerated eavesdropper. They show that
any information the eavesdropper manages to acquire is inherently noisy which allows the two honest participants to communicate securely. It is well-known 
in cryptography that most cryptographic primitives can be implemented securely as long as an external source of guaranteed noise is present. 
using only single qubit measurements in BB84 [ ] bases, without the use of any quantum memory. Yet, no explicit security
bounds were provided in [ ]. Our final contribution is to 

• Provide a formal security proof and security bounds for the protocol proposed in [ ] in the global command model. 
We want to stress that a sketch of a security proof was given in [ ] already; however, we were unable to derive explicit security 
bounds from the arguments provided there. We thus devised an alternative proof, which allows us to find these parameters 
explicitly. 

Our proof requires two ingredients: First, we make use of the fact that the two agents cannot communicate. Second, we 
employ an uncertainty relation in terms of min- and max-entropies [ ]. This relation was previously used to prove the security 
of quantum key distribution [ ], and our result illustrates its power to prove security of other cryptographic primitives. 

Outline: The paper is structured as follows. Section II contains some basic definitions and technical tools essential for the
proof. We also remind the reader what a bit commitment protocol is and what conditions it should satisfy. In Section III we 
introduce the concept of split models and, by examining the standard no-go argument, we find the minimal split requirements 
that might give us security and for these we state generalised security requirements. We also show how certain splits arise from 
special relativity if we require certain parts of the protocol to take place at space-like separated points. Section IV presents 
simple protocols that achieve security in the minimal split models. Section V is entirely dedicated to the bit commitment 
protocol proposed by Kent [1]: first we describe the protocol and then we analyse its security to obtain explicit security 
bounds. 



II. Preliminaries 

A. Hamming distance 

Let $[n] = \{1, 2, \ldots, n\}$ and let $x$ be an n-bit string, $x \in \{0, 1\}^n$, and denote the k-th bit of $x$ by $x_k$. Define the Hamming distance between two strings $x, y \in \{0, 1\}^n$ to be the number of positions at which they differ

$$d_H(x, y) := |\{k \in [n] : x_k \oplus y_k = 1\}|.$$



B. Probability distributions 

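Let $X$ be a random variable taking values in $\mathcal{X}$ and distributed according to $P_X$. The Rényi entropy of order $\alpha \in \mathbb{R}^+ \setminus \{0, 1, \infty\}$ is defined as [33]

$$H_\alpha(X) := \frac{1}{1 - \alpha} \log \Big( \sum_{x \in \mathcal{X}} P_X(x)^\alpha \Big).$$

The special cases $\alpha \in \{0, 1, \infty\}$ are defined as limits $H_\alpha(X) = \lim_{\beta \to \alpha} H_\beta(X)$. Note that $H_0(X) = \log |\{x \in \mathcal{X} : P_X(x) > 0\}|$ and that the Rényi entropies exhibit monotonicity

$$H_\alpha(X) \geq H_\beta(X) \iff \alpha \leq \beta.$$

For $|\mathcal{X}| = 2$ and $\alpha = 1$ we obtain the binary entropy

$$h(q) := -q \log q - (1 - q) \log(1 - q).$$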

Let $P_{XY|UV}$ be a joint conditional probability distribution. $P_{XY|UV}$ satisfies no-signalling if for all $u \in \mathcal{U}, x \in \mathcal{X}$ the value of the sum

$$\sum_{y \in \mathcal{Y}} P_{XY|UV}(X = x, Y = y \,|\, U = u, V = v)$$

does not depend on a particular choice of $v \in \mathcal{V}$.
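
The no-signalling condition above can be checked mechanically for a finite distribution. The following Python sketch is an added example, not code from the paper; the helper names (`make_box`, `is_no_signalling`, `swap_parties`) and the three sample distributions are constructed for illustration. It also shows that the condition as stated constrains only the X marginal, so the opposite direction has to be checked by swapping the roles of the two parties.

```python
from itertools import product

BITS = (0, 1)

def make_box(rule):
    """Build P(x, y | u, v) over bits as a dict keyed by (x, y, u, v)."""
    return {key: rule(*key) for key in product(BITS, repeat=4)}

def is_conditional_distribution(p, tol=1e-12):
    """For every input pair (u, v) the probabilities over (x, y) must sum to 1."""
    return all(
        abs(sum(p[(x, y, u, v)] for x, y in product(BITS, repeat=2)) - 1.0) <= tol
        for u, v in product(BITS, repeat=2)
    )

def is_no_signalling(p, tol=1e-12):
    """Condition from the text: for all u and x, the sum over y of
    P(x, y | u, v) takes the same value for every v."""
    for u, x in product(BITS, repeat=2):
        marginals = [sum(p[(x, y, u, v)] for y in BITS) for v in BITS]
        if max(marginals) - min(marginals) > tol:
            return False
    return True

def swap_parties(p):
    """Exchange the roles (X, U) <-> (Y, V) to test the opposite direction."""
    return {(y, x, v, u): prob for (x, y, u, v), prob in p.items()}

# Constructed sample distributions (not from the paper).
# PR box: each output is uniform on its own and x XOR y = u AND v.
PR_BOX = make_box(lambda x, y, u, v: 0.5 if (x ^ y) == (u & v) else 0.0)
# X copies V: the first output reveals the second party's input.
X_COPIES_V = make_box(lambda x, y, u, v: 0.5 if x == v else 0.0)
# Y copies U: the second output reveals the first party's input.
Y_COPIES_U = make_box(lambda x, y, u, v: 0.5 if y == u else 0.0)

def report():
    """Map each sample name to (condition as stated, condition with roles swapped)."""
    samples = (("PR box", PR_BOX), ("X copies V", X_COPIES_V), ("Y copies U", Y_COPIES_U))
    return {
        name: (is_no_signalling(box), is_no_signalling(swap_parties(box)))
        for name, box in samples
    }

if __name__ == "__main__":
    for name, (x_side, y_side) in report().items():
        print(f"{name:11s} X marginal independent of v: {x_side}; "
              f"Y marginal independent of u: {y_side}")
```
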



C. Quantum notation 

Let $\rho$ be a quantum state on a Hilbert space $\mathcal{H}$, i.e. a positive semi-definite operator with $\mathrm{tr}\,\rho = 1$ acting on $\mathcal{H}$. Let $\mathcal{S}(\mathcal{H})$ be the set of all states on $\mathcal{H}$. We say that $\rho_{XA}$ is a classical-quantum (cq) state if it can be written in the form

$$\rho_{XA} = \sum_{x \in \mathcal{X}} P_X(x) \, |x\rangle\langle x|_X \otimes \rho_x,$$

where $P_X$ is a probability distribution and $\rho_x \in \mathcal{S}(\mathcal{H}_A)$. Then, we define the probability of guessing X given access to the quantum system A as

$$p_{\mathrm{guess}}(X|A) := \max \sum_{x \in \mathcal{X}} P_X(x) \, \mathrm{tr}(M_x \rho_x),$$

x£X 
where the maximisation is taken over all positive operator-valued measurements (POVMs) on $\mathcal{H}_A$. The min-entropy of X is defined as $H_{\min}(X) := H_\infty(X)$. The min-entropy of X conditioned on A is defined as

$$H_{\min}(X|A) := -\log p_{\mathrm{guess}}(X|A).$$

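We say that $\rho_{XY}$ is a classical-classical (cc) state if it can be written in the form

$$\rho_{XY} = \sum_{x \in \mathcal{X}, y \in \mathcal{Y}} P_{XY}(x, y) \, |x\rangle\langle x|_X \otimes |y\rangle\langle y|_Y.$$

The max-entropy of X is defined as $H_{\max}(X) := H_{1/2}(X)$. The max-entropy of X conditioned on Y is defined as

$$H_{\max}(X|Y) := \log \sum_{y \in \mathcal{Y}} \Pr[Y = y] \cdot 2^{H_{\max}(X|Y = y)}.$$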

D. Uncertainty relation 

Let $\rho_{ABC}$ be any tri-partite state and let $\{M_z\}_{z \in \mathcal{Z}}$ and $\{N_x\}_{x \in \mathcal{X}}$ be two POVMs on the A subsystem whose measurement results are represented by classical random variables Z and X. The following cq-states arise from performing the measurements mentioned above⁵:

$$\rho_{ZB} := \sum_{z \in \mathcal{Z}} |z\rangle\langle z|_Z \otimes \mathrm{tr}_{AC}(M_z \rho_{ABC}) \quad \text{and} \quad \rho_{XC} := \sum_{x \in \mathcal{X}} |x\rangle\langle x|_X \otimes \mathrm{tr}_{AB}(N_x \rho_{ABC}).$$

Theorem II.1. [31] For any tri-partite state $\rho_{ABC}$ the following uncertainty relation holds

$$H_{\max}(Z|B) + H_{\min}(X|C) \geq \log \frac{1}{c}, \qquad (1)$$

where the entropies are evaluated for $\rho_{ZB}$ and $\rho_{XC}$, respectively, and $c := \max_{z,x} \| \sqrt{M_z} \cdot \sqrt{N_x} \|_\infty^2$.

E. Bit commitment

Bit commitment is a primitive that allows Bob to commit a bit $b$ to Alice in a way that is both binding (Bob cannot later convince Alice that he actually committed to $1 - b$) and hiding (Alice cannot figure out what $b$ is before Bob decides to unveil it). In this section we discuss how to describe a bit commitment protocol⁶ and how to formalise the desired security requirements.

Any action taken by Alice or Bob can be described by a completely positive, trace-preserving (CPTP) map and the entire protocol can be defined by specifying these maps. In this paper we will denote maps performed by Alice and Bob by $\Lambda$ and $\Phi$, respectively. The subscript $X \to Y$ means that the map acts on (reads and/or modifies) the existing register X and creates a new register Y. Moreover, identity is assumed on any subsystems not explicitly mentioned within the map: $\Lambda_{X \to Y}(\rho_{XYZ})$ stands for $(\Lambda_{X \to Y} \otimes \mathbb{1}_Z)(\rho_{XYZ})$.

The usual description of a bit commitment protocol divides it into two phases: commit and open. However, as our scenarios 
rely on timing and communication constraints, it is useful to be more explicit about the structure of the protocol. We divide the 
protocol into four phases: commit, wait, open and verify. The commit and open phases are the essence of the protocol: they are 
the only phases during which Alice and Bob interact. The wait phase acts merely as a separator (this is when the commitment 
is valid), while in the verify phase Alice uses the information collected in the previous phases to verify the commitment and 
decide whether to accept or reject it. 

Let $\rho_{ABC}$ be the state that Alice and Bob share at the end of the commit phase if they are both honest.⁷ The subsystems A and B are controlled by Alice and Bob, respectively, while subsystem C is a classical register in Bob's possession indicating which bit Bob has (honestly) committed to. Let $\Phi_{BC \to P}$ be the quantum operation that Bob applies in the open phase; it should be thought of as extracting a proof of his commitment from the subsystems B and C and storing it in the (possibly quantum) subsystem P⁸

$$\rho_{ABPC} = \Phi_{BC \to P}(\rho_{ABC}).$$

In the last step of the open phase Bob passes the subsystems P and C to Alice. Note that as C is a classical register Alice is automatically assumed to read it and, hence, she finds out what Bob claims to have committed to. Let $\Lambda_{APC \to F}$ be the

⁵ To simplify the notation we will omit all the subsystems on which the projector equals identity. Hence, in our shorthand notation $M_z \rho_{ABC}$ stands for $(M_z \otimes \mathbb{1}_{BC}) \rho_{ABC}$.

⁶ Note that we do not consider the most general class of protocols as we assume that the open phase involves one-way communication from Bob to Alice only.

⁷ Any private or shared randomness is included in the description of the state, hence, given a protocol we can extract a unique $\rho_{ABC}$.

⁸ The honest opening map will simply read the value of the classical register C, hence, its state will not be affected.






quantum operation that Alice applies in the verify phase, which creates a classical binary register (flag), F, indicating whether the commitment is accepted or rejected

$$\rho_{ABPCF} = \Lambda_{APC \to F}(\rho_{ABPC}),$$

and let us denote a (classical) basis of the subsystem F by $\{|\mathrm{accept}\rangle, |\mathrm{reject}\rangle\}$. Describing the honest protocol suffices to define correctness.

Definition II.1. A bit commitment protocol is perfectly correct if $\rho_{ABC}$ satisfies

$$\langle \mathrm{accept} | \, \mathrm{tr}_{ABPC} \, \Lambda_{APC \to F}(\Phi_{BC \to P}(\rho_{ABC})) \, | \mathrm{accept} \rangle = 1.$$

If one of the parties is dishonest and does not follow the protocol then the state shared between Alice and Bob is no longer well-defined. We will use $\sigma$ to denote such dishonest states⁹ to distinguish them from the honest states denoted by $\rho$. The security guarantee for honest Bob states that Alice finds it difficult to guess the value of his commitment before the open phase. If Alice is dishonest and does not follow the protocol then the state shared at the end of the commit phase, $\sigma_{ABC}$, does not necessarily equal $\rho_{ABC}$. However, it is important to note that the classical register C is still well-defined since Bob is honest. Let $\mathcal{K}_A$ be the set of all tri-partite states that Alice might enforce at the end of the commit phase. Informally, a bit commitment is δ-hiding if for any cheating strategy the probability that Alice guesses the committed bit correctly before the open phase is upper bounded by $\frac{1}{2} + \delta$.

Definition II.2. A bit commitment protocol is δ-hiding if all $\sigma_{ABC} \in \mathcal{K}_A$ satisfy

$$p_{\mathrm{guess}}(C|A) \leq \frac{1}{2} + \delta.$$

Similarly, if Bob is dishonest then different states may be reached at the end of the commit phase and let $\mathcal{K}_B$ be the set of all states that he might enforce at the end of the commit phase. Note that the classical register C is no longer well-defined so we will simply talk about bi-partite states $\sigma_{AB} \in \mathcal{K}_B$. In order to cheat successfully Bob must be able to produce valid proofs for both values of C, which implies that there are two distinct dishonest opening maps: Bob applies $\Phi^{\mathrm{cheat},0}_{B \to PC}$ if he chooses to open 0 and $\Phi^{\mathrm{cheat},1}_{B \to PC}$ if he chooses to open 1. The cheating map $\Phi^{\mathrm{cheat},b}_{B \to PC}$ extracts the proof of having committed to $b$ from the subsystem B, stores it in the subsystem P and stores $b$ in the newly-created register C

$$\sigma_{ABP} \otimes |b\rangle\langle b|_C = \Phi^{\mathrm{cheat},b}_{B \to PC}(\sigma_{AB}).$$

In the last step Bob gives P and C to Alice, who verifies the commitment using the honest map. Let $p_b$ be the probability that Alice accepts Bob's unveiling of $b$

$$p_b = \langle \mathrm{accept} | \, \mathrm{tr}_{ABPC} \, \Lambda_{APC \to F}(\Phi^{\mathrm{cheat},b}_{B \to PC}(\sigma_{AB})) \, | \mathrm{accept} \rangle. \qquad (2)$$

The security conditions on $p_0$ and $p_1$ depend on whether we are in the classical or quantum framework. Classically, we require that at the end of the commit phase at least one of $\{p_0, p_1\}$ is small. However, this requirement turns out to be too strong in the quantum world as explained in [34] and a weaker security condition is proposed in the same paper.

Definition II.3. A bit commitment protocol is ε-weakly binding if for all $\sigma_{AB} \in \mathcal{K}_B$ and for all cheating maps $\{\Phi^{\mathrm{cheat},b}_{B \to PC}\}_{b \in \{0,1\}}$ we have $p_0 + p_1 \leq 1 + \varepsilon$.

Unfortunately, this definition does not give us composability (see Appendix B-A for a counter-example). On the other 
hand the usual composable definition used for quantum protocols introduced in [ ] turns out to be too stringent for the 
scenarios considered in this paper (see Appendix B-B for details). Hence, throughout the paper we will stick to the weaker, 
non-composable definition. 

III. Relativistic models 

Before considering relativistic models let us briefly examine the original no-go argument (for the full version please refer 
to [3], [4]) to see how it might be circumvented by imposing certain communication constraints. 

⁹ We make no assumptions on what the dishonest party stores in their part of the state. In particular it might contain some ancillary systems to be used
later. 
A. The original no-go argument and the split models

First note that we can restrict ourselves to protocols in which the state shared between Alice and Bob is pure at all times.¹⁰ Let $|\psi^b_{AB}\rangle$ be the state at the end of the commit phase if Bob has decided to commit to $b$. We require that Alice should not be able to distinguish the two cases just by looking at her subsystem, which implies that $\rho^0_A = \rho^1_A$, where $\rho^b_A = \mathrm{tr}_B |\psi^b_{AB}\rangle\langle\psi^b_{AB}|$. By Uhlmann's theorem [35] there exists a unitary $U_B$ acting on the subsystem B alone such that $U_B |\psi^0_{AB}\rangle = |\psi^1_{AB}\rangle$. Hence, if the states corresponding to both commitments are the same on Alice's side then Bob can cheat perfectly. This argument can be extended to the case in which $\rho^0_A$ and $\rho^1_A$ are close in trace distance (which means that they are difficult to distinguish) and then one can show that Bob can still cheat with high probability (for the exact trade-off based on this idea refer to [36]; for the optimal bounds on quantum bit commitment see [37]).

What is a split model? Informally, a split model is a model in which at least one party is required to delegate multiple agents 
to perform certain parts of the protocol in a non-communicating fashion. In this paper we only consider models in which we 
require a party to delegate at most 2 agents. The basic rule of two-party cryptography is that there are no third parties: the 
world is split between Alice and Bob only, anything that does not belong to Alice is fully controlled by Bob. Now suppose 
that the split model requires that there are two agents of Bob (Bob and Brian). It is still true that Bob and Brian together 
control everything that does not belong to Alice. However, the class of operations they can perform in a non-communicating 
fashion is now restricted, which might give us security. It is clear that the only way to achieve security is to split Alice during 
the period for which security for Bob should hold or vice versa. Therefore, we arrive at two relevant splits. 

• α-split: Alice is split during the commit and wait phases.

• β-split: Bob is split during the wait and open phases.



Fig. 2: The two relevant types of separations: α and β. (Timeline of the phases 1. commit, 2. wait, 3. open, 4. verify; α: Alice is split; β: Bob is split.)

The standard no-go does not apply to the α-split model because while $\rho^0_A$ might be globally fully distinguishable from $\rho^1_A$ they might locally look the same for both Alice and Amy (her agent). The β-split evades the no-go because the global unitary $U_B$ might be impossible to perform by Bob and Brian without communication. Note that whenever we say that a party is split during two (or more) consecutive phases of the protocol we mean one long split throughout the whole period rather than a sequence of short ones (the agents are not allowed to get together in between).

We treat the splits as a resource. Hence, we are interested in the minimal splits that give security and we will show that α and β are such minimal splits. What about models that impose strictly more restrictions than those? On one hand, any protocol secure in the minimal split will remain secure in the more split model; we only need to ensure it is still feasible. E.g. the protocol from [ ] was originally proposed in the model in which both Alice and Bob are split during the wait and open phases, while our analysis applies to the β-split model (strictly less split). Therefore, our proof automatically extends to the original setting. On the other hand, imposing more split might allow for new, simpler protocols. E.g. for the case of Bob being split at all times there exist a number of protocols [19], [18], [24], [25].

The number of possible split models is rather large and examining all of them case-by-case is unlikely to give any valuable insight. Hence, in this paper we only focus on the minimal splits: α and β. It is clear that a split imposed on Alice will only affect her cheating power (not Bob's) and it is only the security guarantee for honest Bob that needs to be generalised. In the α-split Bob commits to a bit by talking to Alice and Amy (subsystems A and A', respectively) and a natural generalisation of the hiding condition is to require that neither of them acquires significant knowledge about the value of C. In analogy to the non-split case let $\mathcal{K}_{AA'}$ be the set of states that dishonest Alice and Amy can enforce at the end of the commit phase. Then the split counterpart of Definition II.2 can be written as follows.

Definition III.1. An α-split bit commitment protocol is δ-hiding if all $\sigma_{AA'BC} \in \mathcal{K}_{AA'}$ satisfy

$$p_{\mathrm{guess}}(C|X) \leq \frac{1}{2} + \delta \quad \text{for } X \in \{A, A'\}.$$

Similarly, in the β-split let $\mathcal{K}_{BB'}$ be the set of states that dishonest Bob and Brian can enforce at the end of the commit
phase. In the introduction we mentioned the concept of an external verifier Victor who challenges Bob to open a particular 
bit and this is how we quantify Bob's cheating power. In the case of Bob and Brian performing two openings separately we 
need to specify whether Victor only tells Bob what to unveil or both Bob and Brian receive the message. We call these two 

¹⁰ We assume that Alice and Bob start in a pure state and then all the actions can be performed coherently.
scenarios the local and global command models, respectively. The first variant corresponds to the situation in which Bob makes the decision while Brian intends to behave consistently. If $b$ is the bit that Bob intends to unveil then the cheating maps in the local command model take the form

$$\Phi^{\mathrm{cheat,local},b}_{BB' \to PP'CC'} = \Phi^{\mathrm{cheat},b}_{B \to PC} \otimes \Phi^{\mathrm{cheat}}_{B' \to P'C'},$$

i.e. Bob's actions depend on $b$ but Brian's behaviour is independent of it.

The natural motivation for the second scenario is a situation in which the agents are not allowed to communicate with each 
other but they might receive information from the outside world, hence, they both know b. The cheating maps in the global 
command model take the form 



$$\Phi^{\mathrm{cheat,global},b}_{BB' \to PP'CC'} = \Phi^{\mathrm{cheat},b}_{B \to PC} \otimes \Phi^{\mathrm{cheat},b}_{B' \to P'C'},$$



i.e. both opening maps depend on the value of $b$. Using the definition of $p_b$, the probability of successfully opening $b$, introduced in (2) we can state the security condition in the β-split model.

Definition III.2. A β-split bit commitment protocol is ε-weakly binding in the local (global) command model if for all $\sigma_{ABB'} \in \mathcal{K}_{BB'}$ and all the cheating maps allowed in the local (global) command model we have $p_0 + p_1 \leq 1 + \varepsilon$.

The two variations of the β-split model turn out to be rather different from the security point of view: there exist simple classical protocols secure in the local command model, while no classical protocol can be secure in the global command model (for details please refer to Section IV-B). Hence, to satisfy this stronger security requirement one needs to resort to quantum protocols and we investigate one of them in Section V.

Fig. 3: Light gray regions represent the light cones of Q and R, while dark gray corresponds to the common past or future. P is the latest point of the common past, while T is the earliest point of the common future.



B. Relativistic motivation 

Special relativity states that information cannot travel faster than the speed of light. Hence, if we are guaranteed that sites X 
and Y are at some well-defined distance we can calculate the minimum time it takes for a message to travel from X to Y (or 
vice versa). This motivates guaranteed message delivery time models, in which transmitting messages between certain parties 
takes a finite amount of time. To the best of our knowledge, these were the first models in which relativistic bit commitment 
was proposed [24], [25] (please refer to Appendix C for a brief summary of what is known about these models). Special 
relativity can also motivate certain split models as explained below. 

We consider the model proposed by Kent [27], [1]. Take the speed of light to be 1, let $(x, t)$ be the coordinates for Minkowski space and define the following three points: $P = (0, 0)$, $Q = (-1, 1)$, $R = (1, 1)$. It is clear that P is the latest point that belongs to the common past of Q and R (Fig. 3). Hence, no signal emitted after $t = 0$ (regardless of where it was emitted from) can reach both Q and R. Kent's bit commitment protocols take advantage of this scenario by assuming that each party has an agent at P, Q and R and they are allowed to send information at the speed of light. The commit phase happens at P while the open phase happens at Q and R. The resulting communication constraints are illustrated in Fig. 4. It is clear that the communication constraints following from this configuration in space-time are strictly stronger than those of the β-split. This serves as a proof of principle that at least certain split models can be physically realised by requiring different parts of the protocol to take place at different, space-like separated points.



Fig. 4: Effective communication constraints imposed by Kent's model [27], [1].



IV. Bit commitment protocols for the minimal splits 

In Section III-A we argued that either the α- or the β-split needs to be imposed for security to be possible. In this section we give
explicit examples of protocols which are secure in each of the two cases. 



A. Protocols based on α-split

Fig. 5: The α-split model: Alice is required to be split during the commit and wait phases. (Panels: commit phase, wait phase, open phase.)

The $\alpha$-split allows for a simple bit commitment protocol based on secret sharing. Such protocols will have the feature that
once the commit phase is over, the combined systems of Alice and Amy determine the committed bit and the commitment 
only lasts as long as the separation is maintained. This is similar to the distributed oblivious transfer scenarios [20] in which 
security disappears as soon as the agents are allowed to communicate. 



Protocol 1: Bit commitment from secret sharing 

1) (commit) Bob commits to $b \in \{0, 1\}$ by generating a random bit $r$ and sending $b \oplus r$ to Alice and $r$ to Amy.

2) (open) Alice and Amy calculate $b = (b \oplus r) \oplus r$.



Security against classical adversaries follows directly from the properties of secret-sharing. It is also secure against quantum 
adversaries (see Appendix D-B for details). As there exists a classical protocol that is perfectly secure (even against quantum
adversaries) in this scenario, quantum mechanics gives us no advantage for the purpose of bit commitment.



B. Protocols based on $\beta$-split

[Figure: three panels (commit phase, wait phase, open phase) showing Alice, Bob and Brian.]

Fig. 6: The $\beta$-split model: Bob is required to be split during the wait and open phases.



In contrast to the $\alpha$-split case, commitments based on the $\beta$-split can be made permanent: Bob and Brian can always refuse
to participate in the open phase and Alice will learn nothing about their commitment. As discussed in Section III-A we need
to distinguish between the local and global command models.

1) Security in the local command model: It turns out that in the $\beta$-split model under the local command there exists a
simple classical protocol that achieves security.



Protocol 2: Bit commitment in the local command model 

1) (commit) Bob chooses a bit b and shares it with Brian. 

2) (open) Bob and Brian independently send to Alice a bit they claim to have committed to (denote these bits by x 
and y, respectively). 

3) (verify) Alice accepts the commitment of b if b = x = y, else she rejects. 



It is easy to convince ourselves that the protocol is secure (according to the weakly binding definition). The problem that 
Bob and Brian face is to correlate the bits they are trying to unveil. In order to do that they either have to agree on the bit 
in advance (which corresponds to an honest commitment) or they would have to violate no-signalling. For a more detailed 
security analysis we refer to Appendix D-C (see also the independent discussion of this and related points in [29]). 

2) Security in the global command model: We have seen that in the local command model there exists a very simple bit
commitment protocol that achieves security. Unfortunately, as soon as we switch to the global command the protocol becomes
insecure: Bob and Brian can cheat perfectly. Let us consider what is and what is not possible in the $\beta$-split model under the
global command.

a) Classically: Classically, it is not possible to achieve security in the $\beta$-split model under the global command and the
informal argument goes as follows. As the protocol needs to be correct, Bob and Brian must be able to honestly commit to
either bit, i.e. they must be able to agree on unveiling strategies^11 that will make Alice accept either bit even without any
further communication between Bob and Brian. Since the protocol is hiding, the interaction during the commit phase cannot
give away any information about the committed bit and, therefore, both strategies remain valid until the beginning of the open
phase. Hence, whichever bit Bob and Brian are told to unveil they can always succeed.

b) Quantum mechanically: The informal argument presented above does not apply in the quantum world due to the
no-cloning principle. The opening strategy may rely on some quantum system that is available to Bob right before the split
but cannot be shared with Brian without loss. The first protocols in the $\beta$-split model were proposed by Kent [27], [1] and
Section V focuses on one of them.
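
The gap between local and global command for Protocol 2 can be checked exhaustively. The following added example (not from the paper) enumerates every deterministic strategy pair for Bob and Brian and also evaluates shared-randomness mixtures of them; modelling a strategy as a map from the command to a bit, and all function names, are assumptions of this sketch.

```python
"""Protocol 2 under local vs global command: exhaustive search over strategies.

Constructed illustration. A deterministic strategy is a pair
(answer if the command is 0, answer if the command is 1).
"""
from itertools import product
import random

COMMANDS = (0, 1)
ALL_STRATEGIES = list(product((0, 1), repeat=2))  # every map command -> bit
CONSTANT_STRATEGIES = [(0, 0), (1, 1)]            # answer fixed before the command


def alice_accepts(command, x, y):
    """Verify step of Protocol 2: accept the opening of b iff b = x = y."""
    return command == x == y


def strategy_pairs(global_command):
    """Deterministic (Bob, Brian) strategy pairs allowed by the command model.

    Bob always learns the command. Brian learns it only under global command;
    under local command his answer cannot depend on it.
    """
    brian_options = ALL_STRATEGIES if global_command else CONSTANT_STRATEGIES
    return list(product(ALL_STRATEGIES, brian_options))


def success_probabilities(mixture):
    """Return (p0, p1) for a mixture {(bob, brian): weight}.

    The weights model randomness shared by Bob and Brian before the split.
    """
    p = [0.0, 0.0]
    for (bob, brian), weight in mixture.items():
        for command in COMMANDS:
            if alice_accepts(command, bob[command], brian[command]):
                p[command] += weight
    return tuple(p)


def best_deterministic_sum(global_command):
    """Maximum of p0 + p1 over all deterministic strategy pairs."""
    return max(sum(success_probabilities({pair: 1.0}))
               for pair in strategy_pairs(global_command))


def random_mixture(global_command, rng):
    """A random probability distribution over the allowed strategy pairs."""
    pairs = strategy_pairs(global_command)
    weights = [rng.random() for _ in pairs]
    total = sum(weights)
    return {pair: w / total for pair, w in zip(pairs, weights)}


if __name__ == "__main__":
    print("local command,  max p0 + p1 =", best_deterministic_sum(False))
    print("global command, max p0 + p1 =", best_deterministic_sum(True))
```
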

V. Bit commitment by transmitting measurement outcomes 

We introduce a variant of the bit commitment protocol by Kent [ ] and then present a security proof that leads to explicit 
security bounds. 

A. The protocol 

The original protocol presented in [ ] uses BB84 states. However, for the purpose of the proof we analyse its purified
analogue (which is equivalent from the security point of view). Denote the computational basis by $\mathcal{B}_0 = \{|0\rangle, |1\rangle\}$ and the
Hadamard basis by $\mathcal{B}_1 = \{|+\rangle, |-\rangle\}$.

Note also that the original scenario described by Kent makes strictly more assumptions (because it requires both parties to
be split rather than just one). However, we will see that whether Alice is split or not does not affect the security. Hence, the
security proof for the $\beta$-split model presented here automatically applies to the setup originally proposed by Kent.



Protocol 3: Bit commitment by transmitting measurement outcomes

1) Alice creates $2n$ EPR pairs and sends one half of each pair to Bob.

2) (commit) Bob commits to a bit $b$ by measuring every qubit he receives in $\mathcal{B}_b$. Denote the outcomes by $T$ (a classical
bit string of length $2n$).

3) (end of commit) Bob splits up into two agents: Bob and Brian. Each of them holds a copy of $T$. No more
communication is allowed between Bob and Brian until the end of the protocol.

4) (open) Bob opens the commitment by sending $b$ and $T$ to Alice. Brian does the same.

5) Alice picks a random subset $Z \subset [2n]$ of size $n$ and sets $X := [2n] \setminus Z$. She measures the qubits from $Z$ in the
computational basis and the qubits from $X$ in the Hadamard basis. Denote her measurement outcomes by $S$ (a
classical bit string of length $2n$).

6) (verify) Alice performs three checks:

• Alice checks whether the values of $b$ submitted by Bob and Brian are the same.

• Alice checks whether the strings submitted by Bob and Brian are the same.

• Alice checks whether the strings submitted are consistent with $S$ (consistency check on qubits she measured in
$\mathcal{B}_b$ only).

If all three checks pass then the opening is accepted.

11 Bob and Brian agree on unveiling strategies during the commit phase, which they are allowed in the $\beta$-split model. This argument might not apply in
the case of stronger splits (e.g. Bob and Brian split at all times).



As mentioned in Section II-E a secure bit commitment protocol should satisfy three conditions. If Bob is honest he will 
choose a bit b, perform the correct measurement to obtain the (classical) string T. After the split Bob and Brian will both 
possess identical copies of b and T, which they send to Alice during the open phase. Hence, the first two checks clearly go 
through. The third check goes through because honest Alice prepared perfect EPR pairs, measured them to obtain string S 
and so strings S and T must be perfectly correlated on the qubits measured in the same basis. Hence, the protocol is perfectly 
correct. Security for honest Bob is also easy to see. Alice does not receive any information before the open phase, hence, she
cannot learn anything about Bob's commitment by no-signalling and the protocol is $\delta$-hiding for $\delta = 0$. Therefore, we only
analyse security for honest Alice, i.e. show the following result:

Theorem V.1. Protocol 3 in the $\beta$-split model under the global command is $\varepsilon$-weakly binding, where

$$\varepsilon = \inf_{\delta \in (0, \frac{1}{2})} 2^{1 - n(1 - h(\delta))} + 2\exp\left(-\frac{1}{2} n \delta^2\right),$$

where $h(\cdot)$ is the binary entropy function as defined in Section II-B.

Note that not only does $\varepsilon$ vanish in the limit $n \to \infty$ but also the rate of decay is exponential in $n$ ($n$ is the number of
rounds played, hence, the resources necessary to execute the protocol grow linearly in $n$). The fact that $\varepsilon$ decays exponentially
would be a great advantage if the protocol were to be implemented experimentally and shows that the protocol might be of
practical interest.
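
To put numbers on the bound of Theorem V.1, the following added example (not part of the paper) evaluates $\varepsilon(n) = \inf_{\delta \in (0, 1/2)} 2^{1 - n(1 - h(\delta))} + 2\exp(-\frac{1}{2} n \delta^2)$ on a grid of $\delta$ values and searches for the smallest $n$ that meets a target. The grid size and the function names are assumptions of this sketch; since every fixed $\delta$ gives a valid bound, the grid minimum is never smaller than the true infimum.

```python
"""Numerical evaluation of the weakly-binding bound of Theorem V.1."""
import math


def binary_entropy(x):
    """h(x) = -x log2 x - (1 - x) log2 (1 - x), with h(0) = h(1) = 0."""
    if x <= 0.0 or x >= 1.0:
        return 0.0
    return -x * math.log2(x) - (1.0 - x) * math.log2(1.0 - x)


def bound_at(n, delta):
    """Value of the bound for one fixed delta in (0, 1/2)."""
    entropy_term = 2.0 ** (1.0 - n * (1.0 - binary_entropy(delta)))
    sampling_term = 2.0 * math.exp(-0.5 * n * delta ** 2)
    return entropy_term + sampling_term


def epsilon(n, grid=2000):
    """Minimum of the bound over a uniform grid of delta values in (0, 1/2).

    For a fixed grid this is non-increasing in n, because each grid point
    contributes a function that decreases with n.
    """
    return min(bound_at(n, 0.5 * i / grid) for i in range(1, grid))


def min_rounds(target, n_max=1 << 20):
    """Smallest n with epsilon(n) <= target, found by binary search."""
    if epsilon(n_max) > target:
        raise ValueError("target not reachable below n_max")
    lo, hi = 1, n_max
    while lo < hi:
        mid = (lo + hi) // 2
        if epsilon(mid) <= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for n in (10, 100, 500, 1000):
        print(f"n = {n:5d}   epsilon <= {epsilon(n):.3e}")
    print("rounds needed for epsilon <= 2^-40:", min_rounds(2.0 ** -40))
```
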

B. Security for honest Alice 

1) Notation: Let us denote the state of the system at the end of the commit phase by $\rho_{ABB'}$, where subsystems $A$, $B$ and
$B'$ belong to Alice, Bob and Brian, respectively. Alice is honest so we know the exact state of her subsystem: it contains
$2n$ qubits, which have already been partitioned into sets $Z$ and $X$. This justifies a natural partition of the subsystem $A$
into subsystems $A_Z$ and $A_X$, each containing exactly $n$ qubits. Let the quantum operation $\Lambda^b_G$ for $G \in \{A_Z, A_X\}$, $b \in \{0, 1\}$
correspond to measuring all qubits from the subsystem $G$ in the basis $\mathcal{B}_b$. The relevant projectors can be formally defined as

$$P^{b,s}_G := [H^{\otimes n}]^b \, |s\rangle\langle s|_G \, [H^{\otimes n}]^b, \qquad (3)$$

where $s \in \{0, 1\}^n$. Denote the environment by $E$ and the subsystem used to store the measurement outcomes by $F$. Then $\Lambda^b_G$
is defined as

$$\rho_{FE} := \Lambda^b_G(\rho_{GE}) = \sum_s |s\rangle\langle s|_F \otimes \mathrm{tr}_G\left(P^{b,s}_G \rho_{GE}\right).$$

The three relevant measurements are $\Lambda^0_{A_Z}$, $\Lambda^1_{A_X}$ and $\Lambda^0_{A_X}$: the first two are actually performed in the honest protocol, while the
third one is a virtual measurement, required for the proof only. Bob and Brian are expected to extract a string from their
respective quantum systems. Let us simplify the notation introduced in Section II-E and denote Bob's map intending to open
$b$ and producing string $T$ as the output by $\Phi^b_B$. Similarly, for Brian denote the map intending to open $b'$ by $\Phi^{b'}_{B'}$ and the
output string by $T'$. Observe that $\Phi^b_B$ ($\Phi^{b'}_{B'}$) is restricted to operate on the subsystem $B$ ($B'$) only. The string $T$ corresponds
to measuring all $2n$ qubits. Once Alice has chosen the partition into $Z$ and $X$ we can naturally split it into two substrings
$T = \{T_Z, T_X\}$, which correspond to the outcomes obtained from the qubits from sets $Z$ and $X$, respectively. Splitting $T$ into
two substrings is useful because when Alice has to decide whether to accept or reject the commitment she will only look at
one of the substrings (the one measured in the same basis). Clearly, an analogous partition applies to $T' = \{T'_Z, T'_X\}$.

2) No-signalling constraints: Let us think of Alice as talking to Bob and Brian separately and making a separate decision
(whether to accept or not) for each of them. We can see that this gives rise to a joint probability distribution with two inputs
and two outputs: the inputs are the bits that Bob and Brian were asked by Victor^12 to unveil ($b$ and $b'$, respectively), while
the outputs are Alice's binary ({accept, reject}) outcomes (one on each side). We have already defined the maps that Bob and
Brian will apply so now we just need to specify what the tests on Alice's side are. As described in the protocol Alice will
check whether the relevant substring (determined by the partition into $Z$ and $X$) is identical to her measurement outcomes
and these checks can be expressed as projectors. E.g. if Bob tries to open $b = 0$ ($b = 1$) Alice will apply $\Pi^0_B$ ($\Pi^1_B$), where

$$\Pi^0_B := \sum_s |s\rangle\langle s|_{S_Z} \otimes |s\rangle\langle s|_{T_Z}.$$

To check Brian's opening she would apply $\Pi^0_{B'}$ or $\Pi^1_{B'}$, which can be obtained from the projectors above by replacing $T$ with
$T'$. Note that the opening maps performed by Bob and Brian and the tests performed by Alice allow us to evaluate the joint
probability distribution. As Bob and Brian act on disjoint quantum systems and the tests performed by Alice are classical the
probability distribution must satisfy no-signalling. Let us start with a no-signalling table.^13

12 We are in the global command model so both Bob and Brian know what they are trying to unveil.

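| Alice and Bob \ Alice and Brian | $b' = 0$: accept | $b' = 0$: reject | $b' = 1$: reject | $b' = 1$: accept |
|---|---|---|---|---|
| $b = 0$: accept | $p_0$ | $a_{12}$ | · | $\alpha$ |
| $b = 0$: reject | $a_{21}$ | $a_{22}$ | $a_{23}$ | $a_{24}$ |
| $b = 1$: reject | · | · | · | $a_{34}$ |
| $b = 1$: accept | · | · | · | $p_1$ |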



Note that we replaced certain fields ($a_{11}$ and $a_{44}$) by the probability of successfully opening 0 and 1 ($p_0$ and $p_1$), respectively.
This follows from the definition of $p_d$ in the global command model:

$$p_d := \Pr[\text{accept}, \text{accept} \mid b = d, b' = d]. \qquad (4)$$

Also, we have replaced $a_{14}$ by $\alpha$ because it turns out to be the quantity we will bound in the second part of the proof. The
following lemma uses the no-signalling principle to find an upper bound on the sum of $p_0$ and $p_1$.

Lemma V.1. No-signalling between Bob and Brian implies that $p_0 + p_1 \leq 1 + \alpha$.

Proof: Consider the following no-signalling constraints: $\alpha + a_{24} = a_{34} + p_1$ and $a_{21} + a_{22} = a_{23} + a_{24}$. Moreover, we
know that each quarter adds up to 1 so $p_0 + a_{12} + a_{21} + a_{22} = 1$. Combining the two conditions gives

$$p_0 + p_1 = 1 - a_{12} - a_{21} - a_{22} + \alpha + a_{24} - a_{34} = 1 - a_{12} - a_{23} + \alpha - a_{34} \leq 1 + \alpha.$$

■

Hence, it is enough to show that as the number of rounds $n$ increases $\alpha$ can be made arbitrarily small, which is the focus
of the next section.

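3) Impossibility of guessing both strings: The probability $\alpha$ corresponds to Bob trying to unveil $b = 0$, Brian trying to
unveil $b' = 1$ and both openings being accepted. Let $\rho_{S_Z S_X T_Z T_X T'_Z T'_X}$ be the state after all three parties have performed their
measurements (note that this state is purely classical)

$$\rho_{S_Z S_X T_Z T_X T'_Z T'_X} := (\Lambda^0_{A_Z} \otimes \Lambda^1_{A_X} \otimes \Phi^0_B \otimes \Phi^1_{B'}) \rho_{A_Z A_X B B'}.$$

As $\alpha$ is the probability that $\rho_{S_Z S_X T_Z T_X T'_Z T'_X}$ passes the relevant tests it can be written as

$$\alpha = \mathrm{tr}\left(\Pi^0_B \Pi^1_{B'} \rho_{S_Z S_X T_Z T_X T'_Z T'_X}\right).$$

As operators acting on disjoint subsystems commute we can change the order slightly

$$\begin{aligned}
\alpha &= \mathrm{tr}\left(\Pi^0_B \Pi^1_{B'} \rho_{S_Z S_X T_Z T_X T'_Z T'_X}\right) = \mathrm{tr}\left(\Pi^0_B \Pi^1_{B'} (\Lambda^0_{A_Z} \otimes \Lambda^1_{A_X} \otimes \Phi^0_B \otimes \Phi^1_{B'}) \rho_{A_Z A_X B B'}\right) \\
&= \mathrm{tr}\left(\Pi^0_B \Pi^1_{B'} (\Lambda^1_{A_X} \otimes \Phi^1_{B'}) (\Lambda^0_{A_Z} \otimes \Phi^0_B) \rho_{A_Z A_X B B'}\right) \\
&= \mathrm{tr}\left(\Pi^1_{B'} (\Lambda^1_{A_X} \otimes \Phi^1_{B'}) \left[\Pi^0_B (\Lambda^0_{A_Z} \otimes \Phi^0_B) \rho_{A_Z A_X B B'}\right]\right). \qquad (5)
\end{aligned}$$

Define

$$p := \mathrm{tr}\left(\Pi^0_B (\Lambda^0_{A_Z} \otimes \Phi^0_B) \rho_{A_Z A_X B B'}\right), \qquad \rho^{\mathrm{pass}}_{A_X T_X B'} := \frac{1}{p} \, \mathrm{tr}_{S_Z T_Z}\left(\Pi^0_B (\Lambda^0_{A_Z} \otimes \Phi^0_B) \rho_{A_Z A_X B B'}\right).$$

It is easy to see that $p$ is the probability that Bob passes his test and $\rho^{\mathrm{pass}}_{A_X T_X B'}$ is the normalised state conditioned on passing.
Hence, $\alpha$ can be written as

$$\alpha = \mathrm{tr}\left(\Pi^1_{B'} (\Lambda^1_{A_X} \otimes \Phi^1_{B'}) \rho^{\mathrm{pass}}_{A_X T_X B'}\right) \cdot p. \qquad (6)$$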



13 The variables that do not appear in our argument have been replaced with placeholders.

This way of writing $\alpha$ allows us to apply Theorem II.1 to the tri-partite state $\rho^{\mathrm{pass}}_{A_X T_X B'}$.

Lemma V.2. For any strategy adopted by dishonest Bob

$$\alpha \leq \inf_{\delta \in (0, \frac{1}{2})} 2^{1 - n(1 - h(\delta))} + 2\exp\left(-\frac{1}{2} n \delta^2\right). \qquad (7)$$

Proof: The trace on the right hand side of (6) corresponds to the probability that Brian guesses $S_X$ correctly by applying
his opening map on his subsystem conditioned on Alice accepting Bob's opening. The guessing probability using a fixed map
$\Phi^1_{B'}$ is upper bounded by the optimal guessing probability [ ] which can be written in terms of the min-entropy. Hence,

$$\frac{\alpha}{p} = \mathrm{tr}\left(\Pi^1_{B'} (\Lambda^1_{A_X} \otimes \Phi^1_{B'}) \rho^{\mathrm{pass}}_{A_X T_X B'}\right) \leq 2^{-H_{\min}(S_X|B')}, \qquad (8)$$

where the min-entropy is evaluated on the state $\rho_{S_X B'} := \mathrm{tr}_{T_X} \Lambda^1_{A_X}(\rho^{\mathrm{pass}}_{A_X T_X B'})$. To use the uncertainty relation (1) we also need
to consider $\rho_{S_X T_X} := \mathrm{tr}_{B'} \Lambda^0_{A_X}(\rho^{\mathrm{pass}}_{A_X T_X B'})$, which would be obtained if Alice decided to make the third (virtual) measurement
in a complementary basis. Combining (1) with (8) gives

P ~ 

where $H_{\max}(S_X|T_X)$ is evaluated on $\rho_{S_X T_X}$. Note that now we just need to bound the classical conditional max-entropy
between two classical random variables (the state $\rho_{S_X T_X}$ is purely classical). It turns out that it is enough to show that the
Hamming distance between $S_X$ and $T_X$ is small with high probability. To get such a bound we need to examine the (fully
classical) state $\rho_{S_Z S_X T_Z T_X} := \mathrm{tr}_{B'}\left[(\Lambda^0_{A_Z} \otimes \Lambda^0_{A_X} \otimes \Phi^0_B \otimes \mathrm{id}_{B'}) \rho_{ABB'}\right]$. The fact that $Z$ and $X$ are random subsets of $[2n]$ allows
us to derive the following inequality from the Hoeffding bound [39] (details in Appendix A).

$$\Pr\left[d_H(S_X, T_X) \geq \delta n \wedge d_H(S_Z, T_Z) = 0\right] \leq \exp\left(-\frac{1}{2} n \delta^2\right) =: \varepsilon. \qquad (10)$$

We can also write it as conditional probability

$$\Pr\left[d_H(S_X, T_X) \geq \delta n \mid d_H(S_Z, T_Z) = 0\right] \leq \frac{\varepsilon}{p},$$

because $d_H(S_Z, T_Z) = 0$ is equivalent to Bob passing the test (and happens with probability $p$ as defined in (V-B3)). Let
$0 < \delta < \frac{1}{2}$ and define a binary event, $\Gamma$, such that

$$\Gamma = \begin{cases} 0 & \text{if } d_H(S_X, T_X) < \delta n, \\ 1 & \text{if } d_H(S_X, T_X) \geq \delta n. \end{cases}$$

If $\Gamma = 0$ then for any particular value of $T_X = t_X$ the Rényi entropy^14 of order 0 can be bounded by

$$H_0(S_X|T_X = t_X, \Gamma = 0) \leq \log\left(\sum_{k=0}^{\lfloor \delta n \rfloor} \binom{n}{k}\right) \leq n h(\delta),$$

where the last inequality comes from a well-known bound (see e.g. Lemma 16.19 in [40]). The monotonicity of classical Rényi
entropies implies that

$$H_{\max}(S_X|T_X = t_X, \Gamma = 0) \leq H_0(S_X|T_X = t_X, \Gamma = 0). \qquad (11)$$

If $\Gamma = 1$ then we have no bound better than the maximal value $H_{\max}(S_X|T_X = t_X, \Gamma = 1) \leq n$. It can be shown (see e.g.
Section 4.3.2 in [41]) that the conditional max-entropy for classical states reduces to

$$H_{\max}(X|Y) = \log \sum_y \Pr[Y = y] \cdot 2^{H_{\max}(X|Y = y)}.$$

As neither of our bounds depends on the particular value of $T_X = t_X$, they will not be affected by averaging over all strings
$t_X$. Hence, we only need to average over $\Gamma$

$$\begin{aligned}
2^{H_{\max}(S_X|T_X \Gamma)} &= \Pr[\Gamma = 0] \cdot 2^{H_{\max}(S_X|T_X, \Gamma = 0)} + \Pr[\Gamma = 1] \cdot 2^{H_{\max}(S_X|T_X, \Gamma = 1)} \\
&\leq \left(1 - \frac{\varepsilon}{p}\right) 2^{n h(\delta)} + \frac{\varepsilon}{p} 2^n \leq 2^{n h(\delta)} + \frac{\varepsilon}{p} 2^n. \qquad (12)
\end{aligned}$$

One bit of information cannot decrease the entropy by more than 1 bit (see e.g. Proposition 5.10 in [41]), hence

$$H_{\max}(S_X|T_X) \leq H_{\max}(S_X|T_X, \Gamma) + 1. \qquad (13)$$

Hence, from (9), (12) and (13) we get

$$\alpha \leq 2p \left[2^{-n(1 - h(\delta))} + \frac{\varepsilon}{p}\right],$$

which directly implies our claim.

14 All entropies are evaluated on $\rho_{S_X T_X}$ except for $H_{\min}(S_X|B')$ which is evaluated on $\rho_{S_X B'}$.

Finally, Theorem V.1 follows directly from Lemmas V.1 and V.2.



VI. Conclusions and open questions 

Our interest in bit commitment protocols based on the relativistic constraint was sparked by recent papers by Kent [27],
[1]. While the author gave an intuition for the security of the protocol based on BB84 states, no explicit security bounds
were given. Once we had proven the security of the protocol and calculated such bounds, we became interested in other split
models: which of them can give us security and in which of them are quantum protocols more powerful than classical ones?
We have investigated the minimal split assumptions that might allow for secure bit commitment and we have shown that they
are indeed sufficient. We have found that in the $\beta$-split under the global command quantum protocols are more powerful than
classical ones.

We have proven security of bit commitment with respect to the weakly binding definition, which is non-composable. We 
also know that the usual stronger definition (which would imply composability) is not achievable. We cannot hope for universal 
composability but maybe it is possible to prove some weaker form of composability. For example, is it possible to combine n 
bit commitment protocols [1] to obtain a secure string commitment scheme? If it is not secure one might investigate if there
are some extra constraints (e.g. that the commit phases are executed sequentially or that the unveilings happen simultaneously 
at space-like separated points) that would guarantee composability. 

One might also wonder whether these models allow us to construct other cryptographic primitives. Probably the most 
natural one to look at would be oblivious transfer [42], [43]. Unfortunately, the primitive of oblivious transfer requires the 
security to last forever. This would only be possible if certain parties remained split forever, which cannot be motivated by 
relativistic assumptions. Moreover, if certain parties were to remain split forever then oblivious transfer can be implemented 
even classically [20]. It is possible, however, that some weaker form of oblivious transfer (in which the security does not last 
forever) can be proven secure in relativistic models.



Appendix A 

HOEFFDING BOUND 

In Lemma 7 we need to bound the probability that sampling a small, random substring gives rise to statistics which are
very different from the true statistics of the entire string. The Hoeffding bound is exactly the tool we need. Suppose that we
have a string of length $2n$ which contains $n_{\mathrm{err}}$ errors and let $\Lambda = \frac{n_{\mathrm{err}}}{2n}$ denote the error fraction in the whole string. Let us take
a random sample of the string of size $k$ and denote the error fraction in the sample by $\lambda$. Then, the Hoeffding bound [ ]
states that

$$\Pr\left[\Lambda \geq \lambda + \frac{\delta}{2}\right] \leq \exp\left(-\frac{1}{2} k \delta^2\right).$$

Adding an extra event cannot increase the probability

$$\Pr\left[\Lambda \geq \lambda + \frac{\delta}{2} \wedge \lambda = 0\right] \leq \exp\left(-\frac{1}{2} k \delta^2\right).$$

The expression inside the square bracket can be rewritten, giving us

$$\Pr\left[n_{\mathrm{err}} \geq \delta n \wedge \lambda = 0\right] \leq \exp\left(-\frac{1}{2} k \delta^2\right).$$

This is exactly the bound we use in (10).
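
An added numerical check of this bound (not part of the paper): for a fixed string, the probability that a uniformly random sample of size $k$ contains none of the $n_{\mathrm{err}}$ errors is a ratio of binomial coefficients, so the left-hand side can be computed exactly and compared with $\exp(-\frac{1}{2} k \delta^2)$. The function names and the choice $k = n$ (the sample is Alice's set $Z$) are assumptions of this sketch.

```python
"""Exact sampling probability versus the Hoeffding bound used in (10)."""
import math


def error_free_sample_probability(n, n_err, k):
    """Pr[a uniformly random size-k sample of a 2n-bit string misses all n_err errors]."""
    if n_err > 2 * n - k:
        return 0.0  # not enough error-free positions to fill the sample
    return math.comb(2 * n - n_err, k) / math.comb(2 * n, k)


def hoeffding_bound(k, delta):
    """Right-hand side of the bound: exp(-k delta^2 / 2)."""
    return math.exp(-0.5 * k * delta ** 2)


def worst_case_probability(n, delta, k=None):
    """Largest value of Pr[n_err >= delta*n and sample error-free] over all strings.

    For a fixed string the first event is deterministic, so only strings with
    n_err >= delta*n contribute; the maximum is taken over those error counts.
    """
    k = n if k is None else k
    smallest_count = math.ceil(delta * n)
    return max(error_free_sample_probability(n, m, k)
               for m in range(smallest_count, 2 * n + 1))


if __name__ == "__main__":
    for n in (20, 100, 500):
        for delta in (0.1, 0.25, 0.4):
            exact = worst_case_probability(n, delta)
            bound = hoeffding_bound(n, delta)
            print(f"n={n:4d} delta={delta:.2f} exact={exact:.3e} bound={bound:.3e}")
```
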



Appendix B 
Composability issues 

For the sake of completeness we state some observations concerning composability. On one hand we show that the weak 
bindingness definition is not composable (by giving an explicit counter-example). On the other hand we argue that the usual 
stronger definition [ ] cannot be satisfied in the split setting. 
A. Counter-example to the composability of the weakly binding definition

In Section II-E we explained what it means that a bit commitment protocol is weakly binding and we also said that the
definition does not guarantee composability, e.g. executing the protocol $n$ times does not necessarily give a secure string
commitment (string commitment is an extension of bit commitment in which we are allowed to commit to a bitstring of
length $n$ rather than just a single bit). Let us explain what the source of the problem is. Consider a bit commitment protocol
which is binding in the sense that with probability $\frac{1}{2}$ Bob can unveil either bit successfully and with probability $\frac{1}{2}$ he will
fail regardless of his intentions. Clearly, we would not call this protocol secure. However, as $p_0 = p_1 = \frac{1}{2}$ it satisfies the
$\varepsilon$-weakly binding definition for $\varepsilon = 0$. To expose the problem even further consider the task of string commitment. Analogous
to the bit commitment case suppose that at the end of the commit phase Alice and Bob share a state $\rho_{AB}$. Let $q_s(\rho_{AB})$ be
the probability that Bob successfully unveils string $s$. Then it is natural to say that a string commitment protocol is $\delta$-weakly
binding if for all states $\rho_{AB}$ it satisfies

$$\sum_s q_s(\rho_{AB}) \leq 1 + \delta.$$

Now consider a string commitment protocol such that Alice with probability $\frac{1}{2}$ accepts anything while with probability $\frac{1}{2}$
rejects everything. It is clear that this is not a secure string commitment box as $\sum_s q_s(\rho_{AB}) = \frac{1}{2} \cdot 2^n = 2^{n-1}$. However, if we
look at each bit separately we will find that $p_0 = p_1 = \frac{1}{2}$ and so each bit commitment is weakly binding. This shows that
combining $n$ weakly binding bit commitments does not imply that the resulting string commitment is secure.

B. Impossibility of satisfying the stronger definition 

Definition B.1. [12] A bit commitment protocol is $\varepsilon$-binding if the fact that Alice is honest ensures that for any state at the
beginning of the open phase, $\rho_{AB}$, there exists an extension of the form

$$\rho_{ABD} = P_D(0) \, |0\rangle\langle 0|_D \otimes \rho^0_{AB} + P_D(1) \, |1\rangle\langle 1|_D \otimes \rho^1_{AB},$$

where $D$ is a classical register and $P_D$ is a probability distribution, for which the conditioned states satisfy $p_{1-b}(\rho^b_{AB}) \leq \varepsilon$
for $b \in \{0, 1\}$.

While this definition has proven useful in the bounded and noisy storage models [11], [14] we argue that it is generally
inapplicable outside of these scenarios. The security in these models results from the fact that Alice and Bob cannot purify the
protocol, as there is a subsystem, referred to as the environment, $E$, which they do not have access to. In other words $\rho_{AB}$ is
not pure because we trace out the environment $E$, e.g. a pure state $|\phi\rangle_{ABE}$ leads to $\rho_{AB} = \mathrm{tr}_E |\phi\rangle\langle\phi|_{ABE}$. The following
argument shows that if the model does not prevent the parties from purifying the protocol then Definition B.1 can only be
satisfied for $\varepsilon \geq \frac{1}{2}$. Suppose that Bob commits to an equal superposition of 0 and 1 (as explained above). If Alice and Bob
start in a pure state and execute a purified version of the protocol (i.e. implement all operations as unitaries, generate coherent
randomness and keep all the measurements quantum) then the state at the beginning of the open phase is pure. One possible
opening strategy for Bob is to measure the control qubit, which collapses the state. The collapsed state is exactly as if Bob
had generated a random bit $b$ at the very beginning of the protocol and honestly committed to it. Such a strategy gives us
a lower bound on how well Bob can open each bit, namely $p_b(\rho_{AB}) \geq \frac{1}{2}$ for $b \in \{0, 1\}$. As the overall state is pure at the
beginning of the open phase, any classical register $D$ must necessarily be independent, which means that $\rho^0_{AB} = \rho^1_{AB} = \rho_{AB}$.
Then $p_1(\rho^0_{AB}) = p_1(\rho_{AB}) \geq \frac{1}{2}$ so Definition B.1 can only hold for $\varepsilon \geq \frac{1}{2}$. This argument shows that Definition B.1 cannot be
satisfied by protocols that do not assume the presence of some external system inaccessible to either party.

Appendix C 
Guaranteed message delivery time models 

Suppose that Bob, based on Earth, exchanges messages with Alice, who is on the Moon. Special relativity states that no 
message can travel faster than the speed of light, hence the minimum delivery time equals about 1.26s. This scenario motivates 
the study of models in which there are two separated sites and while intra-site communication can be instantaneous, any 
inter-site message takes at least $\Delta t$ to be delivered. We also assume that the inter-site (classical or quantum) channels are
perfectly secure (neither party can read or alter anything that is on the wire). 



A. One agent per site 




The simplest model assumes that each party controls one site. Clearly, if Bob sends a bit $b$ to Alice he is committed to it. The
commitment is perfect because at time $t = 0$ Bob is fully committed (he cannot alter his commitment at any later time), while
at the same time until time $t = \Delta t$ Alice is fully ignorant about the commitment. The drawback of such a scheme is the fact
that the commitment only lasts for $\Delta t$ and then automatically opens. Such schemes have been studied before [ ] but in a
slightly different context. The conclusion is that for certain applications (e.g. constructing a strong coin flip, signing contracts)
such timed commitments are good enough, while for others (e.g. Yao's construction of OT using quantum communication [45],
[43]) they are not. To illustrate the limitations of this model let us consider if it is possible to construct a commitment that
lasts for longer than $\Delta t$. Classically, this is not possible and the intuitive argument is simple. In the absence of noise classical
protocols are fully deterministic and no probabilities can arise. For each of the bits Bob either can ($p_b = 1$) or cannot ($p_b = 0$)
unveil it. Hence, the distinction between being and not being committed is sharp (either $p_0 + p_1 = 2$ or $p_0 + p_1 = 1$). Bob being
committed implies that the information beyond his control determines the bit. As Alice will have received all the messages in
transit after time at most $\Delta t$ she will be able to learn the committed bit. Therefore, no commitment can be made longer than
$\Delta t$. In the quantum world the situation is more complicated due to two things. First of all, quantum mechanics is a probabilistic
theory so there is no sharp distinction between being and not being committed: Bob can be partially committed. The second
complication is the no-cloning theorem. Suppose that at some point Bob becomes, to some extent, committed, which means that
the information on Alice's side combined with the messages on the wire give away some information about his commitment.
Now, assume that Alice waits until the messages arrive (at most $\Delta t$) and does some measurements to learn something about
Bob's commitment. Clearly, the standard hiding-binding trade-off applies. However, the honest protocol might require Alice
to return some states to Bob before the messages arrive and so by keeping them she takes a risk of being caught cheating.
It is an open question if this time-constrained scenario gives us some advantage over the standard scenario for constructing
cheat-sensitive bit commitments. It is clear, however, that no secure (hiding) bit commitment can last longer than $\Delta t$. Hence,
for this specific purpose quantum and classical protocols are equally powerful.



B. Two agents per site 




This model assumes that each party has a trusted agent at each site (Bob trusts his agent Brian and Alice trusts her agent Amy).
Protocols implementing bit commitment in such a scenario, in which the commitment can be sustained indefinitely as long
as messages are exchanged at each site, have been presented in [24], [25]. After the exchange stops the commitment remains
valid for $\Delta t$ and then expires. These protocols have been shown to be secure against classical attacks and are conjectured to
be secure against any quantum attack.



Appendix D 

Classical protocols against quantum adversaries 

Some of the protocols we present are purely classical but in order to determine whether they are secure against quantum 
adversaries we need to translate them into the quantum formalism. This section describes briefly how this can be achieved and 
analyses the security of these protocols in the quantum setting. While the actual security proofs may appear trivial, we have 
decided to include them for completeness. 

A. Classical protocol in the quantum formalism 

Sending a classical bit $b \in \{0, 1\}$ is equivalent to encoding it in the computational basis and sending the resulting state $|b\rangle$
to the other party. Receiving a classical bit corresponds to receiving a qubit and immediately measuring it in the computational
basis.



B. Bit commitment from secret sharing 

Here we analyse Protocol 1 from Section IV-A. If Alice and Amy are honest they will measure the qubits they receive
immediately in the computational basis. Once the measurement outcomes are known Bob's commitment is well-defined and
he will not be able to cheat. If Bob is honest $r$ will be a truly random bit. Then what Alice and Amy receive can be described
by the following density matrix

$$\rho^d_{AA'} = \frac{1}{2} \left[ |0\rangle\langle 0|_A \otimes |d\rangle\langle d|_{A'} + |1\rangle\langle 1|_A \otimes |1 - d\rangle\langle 1 - d|_{A'} \right].$$

It is easy to convince ourselves that while $\rho^0_{AA'}$ and $\rho^1_{AA'}$ are perfectly distinguishable the reduced states are fully mixed,
$\rho^0_A = \rho^1_A = \rho^0_{A'} = \rho^1_{A'} = \frac{\mathbb{1}}{2}$. Hence, Alice and Amy remain perfectly ignorant about Bob's commitment as long as they are
separated.

C. Bit commitment in the local command

Here we analyse Protocol 2 from Section IV-B1. Clearly, the protocol is perfectly hiding because Alice does not receive 
any messages until the beginning of the open phase. To show that it is also weakly binding we need to employ no-signalling 
between Bob and Brian. 

Lemma D.1. Protocol 2 is weakly binding with $\varepsilon = 0$.

Proof: Suppose that Bob and Brian want to cheat. At the beginning of the open phase each of them picks an opening strategy
from sets $R$ and $S$, respectively. Note that this has to be done independently because they are not allowed to communicate.
Bob receives the command so his distribution will in general depend on the command and if the command is $b$ denote the
probability of picking $r \in R$ by $p^b_R(r)$. For the second player the distribution has to be fixed and the probability of picking
$s \in S$ equals $p_S(s)$, regardless of what the value of $b$ is. Recall from Section II-E that $p_b$ is the probability that Alice accepts
the commitment if the command is $b$. Hence, we can write

$$p_b = \sum_{r \in R} \sum_{s \in S} p^b_R(r) \, p_S(s) \, p(x = b, y = b \mid r, s) \leq \sum_{r \in R} \sum_{s \in S} p^b_R(r) \, p_S(s) \, p(y = b \mid r, s).$$

By no-signalling we know that $p(y = b \mid r, s)$ does not depend on $r$ so we can write $p(y = b \mid s)$ instead. Then we get

$$p_0 + p_1 \leq \sum_{r \in R} \sum_{s \in S} \left[ p^0_R(r) \, p_S(s) \, p(y = 0 \mid s) + p^1_R(r) \, p_S(s) \, p(y = 1 \mid s) \right] = \sum_{s \in S} p_S(s) \left[ p(y = 0 \mid s) + p(y = 1 \mid s) \right] = 1.$$



One might also wonder whether the protocol satisfies the stronger binding requirement (Definition B.l). However, a similar 
argument to the one sketched out in Section V-B shows that the stronger definition cannot hold. 